Hackers’ 5 top password cracking techniques

Cyber-attacks come in many forms and continue to evolve, but there’s one tried and trusted unauthorized entry method that’s stood the test of time – cracking a user’s password. Despite this, too many organizations still rely on outdated advice and brittle password policies. We’ll run through the five top password cracking techniques hackers use the most, as well as some tips on how to improve your chances of keeping end users’ credentials secure.

1.    Brute‑force and mask attacks

Sometimes, the only way to find a password is to attempt every possible combination of letters, numbers, and symbols. If the password is truly random, these techniques are limited and inefficient, hence the name ‘brute force’. However, against common or weak password that follow predictable patterns, brute force attacks can be highly effective.

An attacker may use a computer or a cluster of computers to attempt every possible variation. The longer the password, the more difficult and time-consuming the cracking process becomes. As an example of time taken, we recently carried out research into how long passwords with a SHA256 hash take to crack. You’ll see the cracking times range from minutes to billions of years.

Mask attacks

A brute‑force attack tries every possible combination (which becomes impractical once passwords exceed 12 random characters). But when you know part of the pattern, a mask attack slashes the time required. For example, many people have eight character passwords that with a capital letter and finish with a number or special character. Combine this with rule‑based mutations (leet speak, symbol insertion) to cover human tendencies like replacing “e” with “3” or “a” with “@” and brute force techniques can be far more effective.

2.    Dictionary and rule‑based mutations

A dictionary attack is one of the oldest and widely used password-cracking techniques. It doesn’t involve guessing every possible character combination like a brute force attack; instead it focuses  on the fact that most people choose predictable, common passwords. Users gravitate toward easy-to-remember passwords — even when passwords aren’t dictionary words, they often derive from them:

• password123
• iloveyou!
• Liverpool2023

Because of this, a well-constructed dictionary attack can crack a huge percentage of real-world passwords in minutes, especially if the system is using weak hashing (like unsalted SHA-1) or no rate-limiting.

Attackers feed a predefined list of potential passwords (the dictionary) into a cracking tool like Hashcat or John the Ripper, which runs each entry through the target’s password hash algorithm. If the resulting hash matches the one in the stolen database, the plaintext password is recovered.

Attackers use wordlists comprised of:

• Leaked password dumps (e.g., RockYou, Have I Been Pwned lists)
• Language-specific dictionaries (e.g., German, Portuguese slang wordlists)
• Thematic lists (e.g., sports teams, song lyrics, gaming handles)
• Custom lists scraped from social media and forums

Rule-based mutations

To go beyond exact matches, attackers use rule-based mutations to dynamically modify words on-the-fly. This massively increases the number of password candidates without requiring a larger dictionary file.

Examples of mutations:

• password → Password, P@ssword, password1!, passw0rd, PASSWORD
• michael → michael1990, M1chael, michael!, michael123456

Tools like Hashcat allow chaining multiple rules together in one run, applying common transformations (add digits, toggle case, reverse string, etc.) to each entry in the attacker’s dictionary.

Advanced attacks can tune a wordlist towards a specific company or person:

• Is it a corporate breach? Include company-specific jargon.
• Is it a regional attack? Add city names, cultural references, or keyboard layouts (e.g., AZERTY vs QWERTY).
• Is it a specific user? Use OSINT to mine names of pets, kids, hobbies, and birthdays.

3.    Rainbow tables

A rainbow table is a precomputed map of hash → plaintext for common passwords. Since hashing algorithms are publicly known, it’s possible to create massive lists of pre-computed password hashes that a stolen hash can be compared against. Instead of generating a new hash for every variation, they can look up the stolen hash against a table to see if it matches. There are many different hash methods and near-infinite password variations, which can quickly make managing and storing tables like this very difficult.

Against unsalted, fast hashes (like LM/NTLM in old Windows), they’re devastatingly effective. But password salting can throw a wrench in this technique. If the server adds random values to the front and end of a hash (values known only to the server), then the resulting hashes won’t match known values anymore. A unique salt per user destroys their utility, as each salt would require its own table.

4.    Credential stuffing

Users commonly use the same root password across multiple services. If one password is broken on a service, an attacker can quickly try that same password or variations on other services to which the user may have access. Known as credential stuffing, attackers will try the cracked password on multiple services to try different passwords on the same service. This can result in all of the user’s services being compromised.

With billions of leaked credentials out there, attackers don’t always need to crack a new hash from scratch. Instead, they reuse combos across popular sites, automating logins with tools like Hydra or Medusa. Even just one reused password can expose a whole enterprise.

5.    AI‑powered password guessing

Innovators have begun training neural networks on massive password lists. Unlike static dictionaries, these models learn language patterns, birthdays, keyboard walks, and pop‑culture references, then generate prioritized guesses that mirror real human creativity. Studies have shown AI‑assisted cracking tools like PassGAN can uncover roughly 50–70% of passwords on their own, and when used alongside traditional methods (e.g., Hashcat), they can boost overall cracking success over using traditional tools alone.

If AI tools continue to develop at the pace they are, it’s possible these techniques will soon eclipse all the other methods we’ve discussed.

How do we make passwords harder to crack?

Modern systems never keep passwords in plaintext form (if they do, you’ve got a problem!). Instead, they transform it through a hash function, producing a fixed‑length, seemingly random string that can’t be reversed, at least in theory. To bolster security further, most implementations layer on:

1. Salting: Adding unique, random value (16–32 bytes) appended or prepended to each password before hashing. Salts ensure that two users with the same password end up with different hashes, and render precomputed rainbow tables useless.
2. Key Derivation Functions (KDFs): Unlike fast hashes (SHA‑1, MD5), KDFs deliberately slow down computation. They let you tune time cost, memory cost, and parallelism so that each guess takes longer and consumes more resources. The three most popular today:
   • bcrypt: Built around the Blowfish cipher; uses a cost factor to ramp up iterations. Check out Specops research into bcrypt cracking times.
   • scrypt: Adds memory hardness to frustrate GPU and ASIC attackers.
   • Argon2: Offers the most flexibility.
3. Pepper: A secret, application‑wide key stored separately from the database (for instance, in an environment variable). Even if an attacker steals your database, missing the pepper means they can’t verify their guesses.

Fight back against password attacks

Password cracking and defense form a perpetual cat‑and‑mouse game. Attackers will continue inventing new tricks – cracking tools and techniques will become increasingly sophisticated and faster. It could be AI‑generated guesses today or quantum‑enhanced brute‑force tomorrow. But you can tilt the odds back in your favor.

Integrating Specops Password Policy with your Active Directory helps ensure you’re following the latest recommendations and compliance requirements. With features such as custom dictionaries and unique, customizable password policies, you can stop end users from creating weak passwords vulnerable to cracking techniques. On top of that, Specops Password Policy continuously scans your Active Directory for passwords that have become breached or compromised.

Stay ahead of hackers with securely designed password policies and root out previously cracked passwords. Book a demo today.